Safeguard and Secure Cyberspace (Cybersecurity and Critical Infrastructure)

Selected Projects:

An Integrated Approach for Physical and Cyber Security Risk Assessment: the U.S. Army Corps of Engineers Common Risk Model for Dams

The Common Risk Model for Dams (CRM-D), developed by the U.S. Army Corps of Engineers (USACE) in collaboration with the Institute for Defense Analyses (IDA) and the U.S. Department of Homeland Security (DHS), is a consistent, mathematically rigorous, and easy-to-implement method for security risk assessment of dams, navigation locks, hydropower projects, and appurtenant structures. The methodology provides a systematic approach for independently evaluating physical and cyber security risks across a portfolio of dams and for informing decisions on how to mitigate those risks. The CRM-D can quantify the benefits of implementing a particular risk-mitigation strategy and, consequently, enable return-on-investment analyses of multiple physical and cyber security risk-mitigation alternatives and facilitate their implementation across a portfolio of dams. A cyber security risk model to support high-level risk assessments of the industrial control systems that operate dam critical functions is also being implemented.

Improving Governance and Budget Execution Oversight at the DHS National Protection and Programs Directorate (NPPD)

This work began with a systematic look at the National Protection and Programs Directorate (NPPD) resource allocation process, focusing particularly on strategic planning and budget execution. IDA created a review panel of experts drawn from within IDA and from outside experts with extensive experience in resource allocation and governance at large governmental organizations. The panel met with leaders of programs and processes at NPPD and officials from DHS headquarters, and developed a set of recommendations to improve NPPD governance processes designed to better support senior leadership decision making.

Operational Test and Evaluation of the Continuous Diagnostics and Mitigation (CDM) Program in the Department of Homeland Security (DHS)

IDA is the independent Operational Test Agent (OTA) for the Continuous Diagnostics and Mitigation (CDM) acquisition program. The CDM program provides U.S. Federal Government departments and agencies with the cyber situational awareness critical for timely vulnerability mitigation. CDM also alleviates part of the burden of Federal Information Security Management Act reporting responsibilities by automating it. IDA provides operational effectiveness, suitability, and cybersecurity assessments to the DHS Director for Operational Test and Evaluation to support periodic acquisition decisions for CDM.

Operational Test & Evaluation of the National Cybersecurity Protection System (NCPS) in the Department of Homeland Security

The National Cybersecurity Protection System (NCPS) provides threat information collection and sharing capabilities and a layer of active network-based protection against cyber threats targeting Federal Executive Branch Department and Agency networks. DHS selected IDA as the Operational Test Agent (OTA) for the NCPS Information Sharing program (NCPS Block 2.2) and the NCPS Einstein 3 Accelerated program (NCPS Block 3 / E3A) because of its expertise in operational test and evaluation (OT&E) of automated information systems, information assurance, and network security. IDA researchers assisted in the development of operational requirements documents, concepts of operations documents, and failure definition and scoring criteria, providing operational insights on emerging requirements and procedures.

Strategic Analysis of Cybersecurity Data Flows

The DHS Deputy Assistant Secretary for Cybersecurity Strategy and Emergency Communications asked IDA to characterize information flow among and between government and private sector entities (consumers) and organizations that create, capture, transform, and distribute information on cyber and control system security vulnerabilities and threats. Focusing on six critical infrastructure sectors (i.e., communications, electricity subsector of energy, financial services, healthcare and public health, transportation systems, and water and wastewater), the IDA team used several tools to visualize and analyze the collected information, establishing connections among and between sector entities. The team analyzed cybersecurity threat information flow at the strategic, operational, and tactical levels, identifying products and services from government, for-profit, and nonprofit cybersecurity threat information providers. IDA developed the Cybersecurity Threat Information Sharing (CTIS) Framework – based on the recently released NIST Cybersecurity Framework – to help establish concepts, metrics, and measures to understand the cybersecurity threat information-sharing landscape. This work will help inform DHS policy and program decisions.

Threat Analysis for Critical Infrastructure Guidance/Risk and Risk Management Capabilities Development

The Homeland Security Act of 2003 and Homeland Security Presidential Directive 7 call for the Department of Homeland Security to conduct comprehensive assessments of the nation's critical infrastructure and to establish uniform policies, approaches, guidelines, and methodology for integrating Federal infrastructure protection and risk management activities. In response, DHS initiated the National Comparative Risk Assessment (NCRA). IDA supported the NCRA through development and application of the Common Risk Model (CRM). The CRM defines risk as follows: Risk = (probability of attack) × (probability of attacker success given an attack) × (attack consequences). IDA Document D-3442, Information in Support of National Comparative Risk Assessment: Determining Probability of Success Given an Attack, Volume 1: Main Report (September 2007), develops the method for determining the probability of attacker success given an attack (P(S|A)) within the CRM, and presents initial estimates of P(S|A) across a broad range of scenarios. These scenarios include various land attacks, water-borne attacks, airplane attacks, and attacks using cyber means. The estimates were produced through guided discussions involving groups of subject matter experts (SMEs) and were validated by independent SME teams.

A subsequent paper, IDA Paper P-4226, National Comparative Risk Assessment Pilot Project; Cyber Intrusion Analysis-Process Control System (June 2007), describes in detail the application of the Common Risk Model to cyber attacks. IDA's cyber experts identified alternative cyber defensive configurations and assessed their robustness against a variety of cyber threats. IDA researchers then estimated the consequences of each potential threat, focusing on the likely effects of cyber attacks on oil, gas, and electrical infrastructures. The IDA work showed that: (1) cyber defensive configurations can be characterized using simple questionnaires; (2) data from actual accidents and incidents provides an excellent starting point for estimating consequences; (3) probabilities of success given an attack, while subjective, can be derived in a manner that allows useful comparative assessments of alternative cyber defense postures; and (4) owners of specific infrastructure assets should be engaged in creating return-on-investment models for security measures. This IDA work helped resolve an internal DHS debate about whether the Common Risk Model could be applied to cyber intrusion scenarios.

In 2010, DHS asked IDA to develop doctrinal guidelines for operationalizing a framework for quantifying risk, with a specific focus on quantitatively estimating the vulnerability of the assets and systems that make up the nation's critical infrastructure. IDA focused on vulnerability for three reasons. First, its definition, and how it is applied to critical infrastructure, is far less well understood than the concepts of threat and consequence. Second, a sound approach for quantifying vulnerability will improve the methodologies for quantifying risk for critical infrastructure. Third, clearly defining vulnerability is key to developing commensurate risk metrics across the 18 critical infrastructure and key resources (CIKR) sectors. When the vulnerability of a system and the vulnerability of an asset protected by layered defenses are compared side by side, the overall recommendation is to define vulnerability in both cases as the expected value of loss given that a scenario occurs. For layered defenses, this requires that vulnerability be re-interpreted as the product of the joint probability of successfully penetrating all relevant defensive layers and the consequences. IDA sought to define a set of concepts and computational methods for quantifying vulnerability such that the resulting risk calculations produce commensurable risk metrics regardless of whether the risks relate to systems or to isolated assets, and whether they arise from natural hazards or from adversarial threats. See IDA Document D-4477, Doctrinal Guidelines for Quantitative Vulnerability Assessments of Infrastructure-Related Risk, Volume 1 (December 2011).
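The following script is an added illustration of the two ideas above: the CRM risk equation (Risk = P(attack) × P(S|A) × consequences) and the layered-defense reading of vulnerability as the joint probability of penetrating every layer times the consequences. It also carries the comparison of alternative defensive postures and the return-on-investment view mentioned for the pilot project. It is not IDA's, DHS's, or USACE's code; every probability, consequence figure, and cost below is constructed for the example, and the assumption that defensive layers fail independently is a simplification the page does not state.

```python
"""Worked example of the Common Risk Model (CRM) risk equation with
layered defenses. All numbers are constructed; the independence of
defensive layers is an assumption made here for illustration only."""
from dataclasses import dataclass
from functools import reduce
from operator import mul
from typing import Sequence


def _check_probability(p: float, label: str) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{label} must be in [0, 1], got {p}")


def p_success_given_attack(layer_probs: Sequence[float]) -> float:
    """P(S|A): joint probability that an attacker penetrates every layer.

    Each entry is the probability of defeating one layer given the attacker
    reaches it. Layers are assumed independent (simplifying assumption), so
    the joint probability is the product of the per-layer probabilities.
    """
    if not layer_probs:
        raise ValueError("at least one defensive layer is required")
    for i, p in enumerate(layer_probs):
        _check_probability(p, f"layer {i}")
    return reduce(mul, layer_probs, 1.0)


@dataclass(frozen=True)
class Scenario:
    """One attack scenario against one asset (all values constructed)."""
    name: str
    p_attack: float                  # threat: probability the attack is attempted
    layer_probs: Sequence[float]     # per-layer P(penetration | layer reached)
    consequence: float               # loss if the attack succeeds (same units for all)

    def __post_init__(self) -> None:
        _check_probability(self.p_attack, "p_attack")
        if self.consequence < 0:
            raise ValueError("consequence must be non-negative")


def vulnerability(s: Scenario) -> float:
    """Expected loss given that the scenario occurs: P(S|A) x consequences."""
    return p_success_given_attack(s.layer_probs) * s.consequence


def risk(s: Scenario) -> float:
    """CRM risk: P(attack) x P(S|A) x consequences."""
    return s.p_attack * vulnerability(s)


def portfolio_risk(scenarios: Sequence[Scenario]) -> float:
    """Total expected loss across a portfolio of scenarios."""
    return sum(risk(s) for s in scenarios)


def compare_postures(base: Scenario, postures: dict) -> list:
    """Rank alternative defensive postures (name -> layer probabilities) by
    residual risk, lowest first. Threat and consequence are held fixed so the
    comparison isolates the effect of the defensive configuration."""
    ranked = [
        (name, risk(Scenario(base.name, base.p_attack, layers, base.consequence)))
        for name, layers in postures.items()
    ]
    return sorted(ranked, key=lambda pair: pair[1])


def mitigation_roi(baseline: Scenario, mitigated: Scenario, cost: float) -> dict:
    """Risk reduction bought by a mitigation and its return on investment,
    defined here as (risk reduction - cost) / cost."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    reduction = risk(baseline) - risk(mitigated)
    return {"risk_reduction": reduction, "roi": (reduction - cost) / cost}


# Constructed example: a cyber intrusion against a process control system
# defended by a perimeter firewall and host hardening; a third layer
# (network segmentation) is the candidate mitigation.
BASELINE = Scenario("cyber intrusion", p_attack=0.1,
                    layer_probs=(0.4, 0.5), consequence=1_000_000.0)
MITIGATED = Scenario("cyber intrusion", p_attack=0.1,
                     layer_probs=(0.4, 0.5, 0.25), consequence=1_000_000.0)
POSTURES = {
    "current": (0.4, 0.5),
    "add segmentation layer": (0.4, 0.5, 0.25),
    "harden perimeter only": (0.2, 0.5),
}

if __name__ == "__main__":
    print(f"baseline risk:  {risk(BASELINE):,.0f}")
    print(f"mitigated risk: {risk(MITIGATED):,.0f}")
    for name, r in compare_postures(BASELINE, POSTURES):
        print(f"  {name:<25} residual risk {r:,.0f}")
    print(mitigation_roi(BASELINE, MITIGATED, cost=10_000.0))
```

With the constructed values, the baseline risk is 0.1 × 0.4 × 0.5 × 1,000,000 = 20,000 and adding the third layer brings it to 5,000, so a mitigation costing 10,000 buys a 15,000 reduction in expected loss. The ranking function is the comparative-assessment step: because threat and consequence are held fixed, the ordering depends only on the defensive posture, which is the point made in finding (3) above.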

Presentations, Articles, Publications:

PRESENTATION: Anti-Terrorism: Are There Borders in Cyber Space? at the ASIS New York City Security Conference and Expo, April 27-28, 2016, hosted by IDA's Dr. Deena Disraelly, Chair of the ASIS Global Terrorism, International Crime, and Political Instability Council, and featuring IDA Assistant Director Laura O'Dell.

PRESENTATION: Cybered Alliances, Spheres and Independents, presented at the Center for Cyber Conflict Studies 3rd Biennial Workshop, U.S. Naval War College, Newport, Rhode Island, September 22, 2015, by IDA's Dr. David Mussington, who served as a panelist. U.S. Naval War College Public Affairs Article

PRESENTATION: Cybersecurity Workforce Panel: Discussions on Opportunities to Engage and Grow the Cybersecurity Workforce, hosted by IDA, August 2015, and featuring Renee Forney and Douglas Maughan, Department of Homeland Security; Robert Knake, Council on Foreign Relations; and Stephen Olechnowicz and Brendan Farrar-Foley, IDA ITSD.